Deploying Printers to the fleet via Group Policy Preferences

Ahhhhh printers, I am convinced life would be better without them (I don’t even have one at home). Nonetheless, printers are a staple of businesses across the globe, and as SysAdmins it is our job to ensure clients have access to the printers, all while making it as seamless as possible.

Over the seven years I have been at my current place of employment, I have gone from deploying printers via KIX script (more or less net use with variables) to Group Policy and finally Group Policy Preferences. Despite using 3 different methods, not one has worked satisfactorily… that is until now.

Before I get into the Group Policy deployment side of things I will first give you an idea of the environment I am working with.

  • Windows Server 2008 Print Server / Domain Controller (could have gone 08 R2 but didn’t want the headache of x64 drivers AND x86 drivers)
  • 30+ different print queues with varying models and brands ranging from HP Black & White Lasers to Xerox Multifunction Devices (fancy name for Photocopiers that can fax/print/scan/copy)
  • Windows 7 SP1 clients predominately with a scattering of Vista and XP clients (all x86)
  • Majority of the clients DO NOT have administrative privileges and thus are standard users

With the above in mind, let’s dig into the Printer Group Policy I use:

In the section below we add each printer queue that is to be deployed via Group Policy:

User Configuration>Preferences>Control Panel Settings>Printers

Go ahead and create a new Shared Printer with the following properties:

 

The three important bits are that the Action is set to Create, the Share path is set to the SMB share path of your printer (use the button to browse and point to the printer if you do not know the path from memory) and that Run in logged-on user’s security context (user policy option) is ticked.

Now according to Microsoft, all that is left is to apply the policy to your choice of Organisational Unit and you should have printers being deployed left, right and centre. Depending on your environment this could be true; however, in our case this is not enough.

In the same policy to which we are adding the printers, go to the sections below and add the following:

Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment

  • Load and unload device drivers
    • BUILTIN\Users

Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options

  • Devices: Prevent users from installing printer drivers
    • Disabled

If it is not obvious already, the above two settings will allow standard users to install printer drivers. Makes sense, right?

Now with the above complete, this was enough for most of our printer queues to be deployed without issue. Unfortunately and weirdly, all our copiers refused to deploy (along with a couple of lasers). I am unsure of the technical reason that connects all these printers, but after reading what others have done when deploying printers via Group Policy Preferences, I applied the next few policies:

Computer Configuration>Policies>Administrative Templates>Printers

  • Only use Package Point and print
    • Disabled
  • Package Point and print – Approved Servers
    • Disabled
  • Point and Print Restrictions
    • Disabled

With the above applied, all 30+ printer queues came through.
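To confirm on a client which of the settings above actually applied (useful when only some queues fail, and for keeping track of which machines carry the relaxed driver-install settings), the following added example, which is not from the original post, reads the registry values that back these policies and the user-rights assignment. The registry keys, value names, SID and privilege name are the standard Windows locations for these policies and are not listed in the post.

```powershell
# Added example, not from the original post. Run from an elevated prompt on a
# client after "gpupdate /force". Written to work on PowerShell 2.0 (Windows 7).

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns the stored data, or '(not set)' when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { '(not set)' }
}

$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'

# Policy name from the post, then the registry key and value that back it.
# AddPrinterDrivers: 0 = standard users may install drivers, 1 = administrators only.
# NoWarningNoElevationOnInstall / UpdatePromptSettings: non-zero = no elevation prompt.
$checks = @(
    @('Devices: Prevent users from installing printer drivers', $lanman, 'AddPrinterDrivers'),
    @('Only use Package Point and print', "$printers\PackagePointAndPrint", 'PackagePointAndPrintOnly'),
    @('Package Point and print - Approved Servers', "$printers\PackagePointAndPrint", 'PackagePointAndPrintServerList'),
    @('Point and Print Restrictions', "$printers\PointAndPrint", 'Restricted'),
    @('Point and Print Restrictions', "$printers\PointAndPrint", 'TrustedServers'),
    @('Point and Print Restrictions', "$printers\PointAndPrint", 'NoWarningNoElevationOnInstall'),
    @('Point and Print Restrictions', "$printers\PointAndPrint", 'UpdatePromptSettings')
)

$report = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Policy = $c[0]
        Value  = $c[2]
        Data   = Get-PolicyValue $c[1] $c[2]
    }
}

# "Load and unload device drivers" is SeLoadDriverPrivilege; BUILTIN\Users is S-1-5-32-545.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$usersCanLoadDrivers = [bool]($line -match 'S-1-5-32-545')

$report | Select-Object Policy, Value, Data | Format-Table -AutoSize
"BUILTIN\Users holds 'Load and unload device drivers': $usersCanLoadDrivers"
```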

With this many printer queues, logon times are significantly increased upon first logon to a machine while the drivers are pulled from the Print Server and installed. On shared machines this can be frustrating to the end user (1:1 machines aren’t affected as subsequent logins do not have to reapply the policy unless there is a change) so my next task is to test if deploying the printers in Computer Configuration rather than User Configuration will only install the printers upon first domain user login and any subsequent domain user login will use the existing drivers/configuration.

Now go forth and give them all the printers they can handle!

Written by: James

5 Comments

  1. Ivan Dretvic
    15/11/2013

    Great article! Really helps explain deploying printers via GPP in a well written and clear to understand article.

    Here is something I have finally got around to writing that I thought may interest you. Basically it allows you to help customise what printers are ‘available’ in the network scan when adding a network printer. Made our users’ lives real easy to use, and it dynamically changes when they move around to different offices.

    I just wished our building was using more subnets as this would have meant I could have tailored it to the different parts of our head office.

    Managing location based printers in an enterprise environment
    http://ivan.dretvic.com/2013/11/managing-location-based-printers-in-an-enterprise-environment/

    • 15/11/2013

      Just had a look through your article Ivan and it’s a great piece. Definitely a must do for those with many branch offices.
      Unfortunately in my environment, all our printers are on the one VLAN and each Lab has its own VLAN (to minimise broadcasts and cross-chatter) so subnet-based locations wouldn’t work too well (based off the printer).
      Nonetheless a fantastic write up. I shall share across my networks.
      Thanks for the reference. Very appreciative!

      • Ivan Dretvic
        15/11/2013

        Hi James,
        The subnet-based locations actually worked off the client, not the printer. So in an environment where each lab has its own VLAN, you would configure the GPP to set the registry key of *LAB1* with Item Level Targeting of Subnet 192.168.1.x (example).
        When a client logs on, and GPP processes, it will update the search field thus only displaying printers that have the word LAB1 in the location field. Solution would not work where PCs are moving frequently due to the frequency of GPO processing however there are ways to improve that as well. (watcher service that runs GPUPDATE whenever the IP changes, for example)
        Cheers,
        Ivan

        • 15/11/2013

          Well that’s perfect then! I don’t have access to GP at the moment so I couldn’t confirm (only presume).
          Regarding mobile clients, I am positive Server 2012 introduced location-based printing support that could help with this. Might be worth checking out and adding to the post?
